March 2011

INFORMATION SECURITY
Evaluation of GAO's Program and Practices for Fiscal Year 2010

Objectives: GAO is not obligated by law to comply with, but has adopted, the requirements of the Federal Information Security Management Act of 2002 (FISMA) to strengthen its information security program and demonstrate its ongoing commitment to lead by example. GAO's Office of Inspector General (OIG) conducted an evaluation to assess (1) the effectiveness of the agency's information security policies, procedures, and practices, and (2) agency compliance with the information security requirements of FISMA and other federal information security policies, procedures, standards, and guidelines. (A full report on this evaluation was prepared for GAO internal use only.)

Findings: The OIG's evaluation showed that GAO has established an information security program that is generally consistent with the requirements of FISMA, Office of Management and Budget (OMB) implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, using evaluation metrics provided by OMB for inspectors general, the OIG also identified improvement opportunities for specific elements of this program that concern

•   identifying the agency's systems inventory and assuring that all systems operated by GAO or by contractors meet security requirements,

•   implementing additional computer scanning capabilities to test security configuration settings,

•   remediating configuration-related vulnerabilities in a timely manner,

•   ensuring that contractors have access to required role-based security awareness training, and

•   planning for further implementation of the personal identity verification requirements of Homeland Security Presidential Directive 12 (HSPD-12).

Recommendations: This report recommends that GAO (1) incorporate procedures within its annual systems inventory process that require inventory changes to be documented and formally approved by the Chief Information Officer and that system interfaces be identified, (2) identify and pursue additional options for obtaining assurances that certain contractor systems meet federal information security requirements, (3) continue efforts to complete and document required information security processes and procedures for all GAO-operated systems, (4) proceed with plans to establish a security configuration scanning capability for GAO notebook computers and workstations, (5) incorporate changes to the configuration management process that remediate specific open configuration-related vulnerabilities, (6) ensure that access to annual role-based information security training or its equivalent is provided for all contractor staff required to take this training, and (7) develop and brief senior management on a plan for practical implementation of HSPD-12 requirements. GAO concurred with these recommendations.

GAO/OIG-11-3

Reporting Fraud, Waste, and Abuse in GAO's Internal Operations
To report fraud, waste, and abuse in GAO's internal operations, do one of the following. (You may do so anonymously.)

•   Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24 hours a day, 7 days a week.

•   Send an e-mail to OIGHotline@gao.gov.

•   Send a fax to the OIG Fraud, Waste, and Abuse Hotline at (202) 512-8361.

•   Write to:
    GAO Office of Inspector General
    441 G Street NW, Room 1808
    Washington, DC 20548

Obtaining Copies of GAO/OIG Reports and Testimony
To obtain copies of OIG reports and testimony, go to GAO's Web site: www.gao.gov/about/workforce/ig.html.

Congressional Relations
Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.